From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Mon, 11 Sep 2006 15:09:19 +0200
Subject: Re: NAT+IPSEC troubles
Message-ID: <20060911130919.GA23541@zen.inc>
In-Reply-To: <450536E9.2010106@ispinfo.fr>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Sep 11, 2006 at 12:14:01PM +0200, Administrators wrote:
> Hi,

Hi.

> I'm building a VPN connected to a CISCO device.
>
> I NEED to translate my LAN address to a given address.
>
> The VPN works well when I try doing
> ifconfig em0 alias _given_@_
> ping -S _given_@_ dest_@
>
> but I didn't manage to translate the LAN address AND have the VPN used.
>
> I can pass through the VPN using the actual address but the CISCO endpoint drops it,
> or I translate, but the packets don't go in the VPN.
>
> Any idea ?
The IPSec stack is hooked before the NAT process (AFAIK), so it is not possible to do that on a single box.

It is still possible to do what you want, but you'll have to reverse the IPSec and NAT parts in the ip_input / ip_output sources.

If lots of people are interested in that, I can add "doing a NAT/VPN order patch" to my TODO list...

Yvan.

--
NETASQ
http://www.netasq.com
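As an added illustration (not part of the original thread, and not FreeBSD's ip_output code): a small Python model of the outbound ordering Yvan describes. The SPD is consulted before NAT rewrites the source address, so a policy written for the translated address never matches (the packet leaves in the clear), while a policy written for the LAN address tunnels the untranslated source, which the peer's policy then rejects. Swapping the two stages, as the suggested patch would, makes the translated packet match. All addresses, the SPD entries and the peer-side check are constructed for the example; the tunnel is modelled as a plain outer/inner packet pair rather than real ESP encapsulation.

```python
"""Constructed model of IPsec-vs-NAT ordering on an outbound path.

Not FreeBSD code: it only models the order of the two stages, with a
tunnel represented as an outer packet carrying the original as 'inner'.
Addresses are taken from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = "192.168.1.0/24"      # constructed: LAN behind the FreeBSD box
GIVEN_ADDR = "203.0.113.10"     # constructed: address the peer expects to see
REMOTE_NET = "198.51.100.0/24"  # constructed: network behind the Cisco peer
GW_ADDR = "192.0.2.1"           # constructed: our tunnel endpoint address
PEER_ADDR = "192.0.2.2"         # constructed: peer tunnel endpoint address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # set once the packet is inside the tunnel


def spd_matches(pkt: Packet, spd) -> bool:
    """True if some (src_net, dst_net) selector in the SPD covers this packet."""
    return any(ip_address(pkt.src) in ip_network(s)
               and ip_address(pkt.dst) in ip_network(d) for s, d in spd)


def ipsec_stage(pkt: Packet, spd) -> Packet:
    """Put the packet into the tunnel if the SPD selects it; otherwise pass it through."""
    if pkt.inner is None and spd_matches(pkt, spd):
        return Packet(GW_ADDR, PEER_ADDR, inner=pkt)
    return pkt


def nat_stage(pkt: Packet) -> Packet:
    """Rewrite a LAN source address to the given address (outer header only)."""
    if ip_address(pkt.src) in ip_network(LAN_NET):
        return Packet(GIVEN_ADDR, pkt.dst, pkt.inner)
    return pkt


def ip_output(pkt: Packet, spd, nat_first: bool = False) -> Packet:
    """Run both stages; nat_first=False is the ordering the reply describes."""
    if nat_first:
        return ipsec_stage(nat_stage(pkt), spd)
    return nat_stage(ipsec_stage(pkt, spd))


def peer_verdict(pkt: Packet) -> str:
    """Constructed peer policy: only tunnelled traffic whose inner source is GIVEN_ADDR."""
    if pkt.inner is None:
        return "cleartext, not in the VPN"
    if pkt.inner.src != GIVEN_ADDR:
        return "tunnelled but dropped by peer policy"
    return "accepted"


if __name__ == "__main__":
    lan_pkt = Packet("192.168.1.5", "198.51.100.7")
    spd_lan = [(LAN_NET, REMOTE_NET)]           # policy on the real LAN address
    spd_given = [(GIVEN_ADDR + "/32", REMOTE_NET)]  # policy on the translated address
    print("IPsec then NAT, SPD on LAN:  ", peer_verdict(ip_output(lan_pkt, spd_lan)))
    print("IPsec then NAT, SPD on given:", peer_verdict(ip_output(lan_pkt, spd_given)))
    print("NAT then IPsec, SPD on given:", peer_verdict(ip_output(lan_pkt, spd_given, nat_first=True)))
```

The three runs reproduce the two failures from the question (tunnelled-but-rejected, and translated-but-cleartext) and the one ordering that works, which is why the fix is a change in stage order rather than in either policy alone.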